
Article Reading Share @若渴 2016.1.24


Article reading share


  1. Article Reading Share @若渴 2016.1.24 <ajblane0612@gmail.com> AJMachine https://cve4fun.hackpad.com/
  2. How I keep up with news
     • Before reading an article I first check
     • whether it has an FB fan page
     • whether there is a YouTube channel to subscribe to
     • Twitter
     • FB is actually quite useful
     • fan page -> Like -> See First
     • every day when I open FB, what I see is security news
     • share it to my own timeline, so I note what I intend to read
  3. Is SMI software or hardware? XD It can be either.
     • SMM code is completely inaccessible from the OS, and the OS cannot even notice when exactly an SMI is being executed. There are several ways to generate an SMI:
     • Ring 0 code can trigger a software SMI at any time by writing some byte value to APMC I/O port B2h.
     • Internal chipset registers (SMI_EN, GEN_PMCON_1 and others) that are accessible via PCI config space allow enabling or disabling different kinds of hardware SMI sources.
     • You can route hardware interrupts into SMM by reconfiguring the advanced programmable interrupt controller (APIC) that is integrated into the CPU.
     • The I/O instruction restart CPU feature (chapter 34.12 of the IA-32 Architectures Software Developer's Manual) allows generating an SMI on any I/O port access by an IN or OUT processor instruction.
     Excerpted from Building reliable SMM backdoor for UEFI based platforms
  4. Outline
     • The Memory Sinkhole
     • Undefined Behavior: What Happened to My Code
     • The impact of GPU-assisted malware on memory forensics: a case study
     • SLOTH
     • ATM HTTPS bicycle attack
  5. The Memory Sinkhole
     • On Intel, Ring 3 is userland, Ring 0 the kernel, Ring -1 the hypervisor, and Ring -2 SMM, which holds the firmware and all the most critical security checks
     • SMM is hidden from Ring 0
     • System Management RAM (SMRAM) is only accessible from SMM
     • SMM handler
     • A System Management Interrupt (SMI) switches into SMM
     • SMM handler
     • loads the DSC structure (Global Descriptor Table, segment selectors, ...) to initialize it
     • Attack technique
     • use APIC remapping to map the APIC payload (all zeros) onto the DSC structure in SMRAM
     • after the SMM handler finishes, execution jumps to 0x10:0x8077 and continues there.
  6. SMM Security. Excerpted from The Memory Sinkhole: An architectural privilege escalation vulnerability
  7. The APIC Remap Attack. Excerpted from The Memory Sinkhole: An architectural privilege escalation vulnerability
  8. Excerpted from The Memory Sinkhole: An architectural privilege escalation vulnerability
  9. Undefined Behavior: What Happened to My Code
     • Undefined behavior
     • Null pointer dereference
     • Oversized shift
     • Signed integer overflow
     • Out-of-bounds pointer
     • Type-punned pointer dereference
     • Uninitialized read
     • The code's behavior is not defined in the C specification, and for behavior C leaves undefined each compiler handles it differently; it may remove the code, so the result differs from what was expected. The culprit behind the resulting vulnerability: the compiler. = =||
  10. Out-of-Bounds Pointer
     • Out-of-bounds pointer arithmetic is undefined behavior, so we have to look at what the compiler does; see the code below
     • end < buf is turned by Clang into
     • buf + size < buf
     • size < 0
     • It then deletes the entire if (end < buf) { ... } branch, which was originally there to guard against signed integer overflow (!!)
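As an added example (not the slide's code nor the paper's), here is the pointer-overflow check the slide describes beside a form that compares lengths instead of pointers, so the compiler has no undefined behaviour to exploit. The 64-byte buffer, the function names and the check wrappers are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>

/*
 * Added example, not code from the slides or from the paper they discuss.
 * The fragile check relies on "buf + len" wrapping around, which is
 * undefined behaviour; an optimizing compiler may fold "buf + len < buf"
 * to "len < 0", which can never hold, and delete the branch entirely.
 * The robust check converts the available space to an integer first and
 * never forms a pointer past buf_end.
 */

/* Fragile form: kept only to show the pattern; not used by the checks below. */
int in_bounds_fragile(const char *buf, const char *buf_end, unsigned int len)
{
    if (buf + len >= buf_end)
        return 0;               /* len too large */
    if (buf + len < buf)
        return 0;               /* meant to catch wrap-around: may be optimized away */
    return 1;
}

/* Robust form: buf_end - buf is defined as long as both point into the same
 * object, and the comparison is on integers, not on an overflowed pointer. */
int in_bounds_robust(const char *buf, const char *buf_end, unsigned int len)
{
    if (buf_end < buf)
        return 0;               /* inverted range from the caller */
    size_t avail = (size_t)(buf_end - buf);
    return (size_t)len < avail; /* same semantics as the fragile form: len == avail is rejected */
}

/* Constructed 64-byte buffer for the checks below. */
static char sample[64];

int check_small_len(void) { return in_bounds_robust(sample, sample + sizeof sample, 10); }
int check_exact_len(void) { return in_bounds_robust(sample, sample + sizeof sample, 64); }
int check_huge_len(void)  { return in_bounds_robust(sample, sample + sizeof sample, UINT_MAX); }
int check_bad_range(void) { return in_bounds_robust(sample + 8, sample, 1); }
```

The robust version gives the same answers for every input the fragile version was written to handle, but it gives them regardless of optimization level, because no step in it is undefined.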
  11. Type-Punned Pointer Dereference
     • C strictly restricts aliasing (two pointers accessing the same memory), but people often alias anyway, which is undefined behavior, and this behavior also keeps the compiler from optimizing
     • Use a C union to tell the compiler that the two are the same, as in the code below
     Excerpted from http://stackoverflow.com/questions/98650/what-is-the-strict-aliasing-rule
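As an added example (not the slide's code nor the Stack Overflow answer it excerpts), here are three ways to read the bit pattern of a float: the pointer cast that violates strict aliasing, the union the slide recommends, and memcpy. It assumes a 32-bit IEEE-754 float; the function names are constructed.

```c
#include <stdint.h>
#include <string.h>

/*
 * Added example, not code from the slides or the Stack Overflow answer they
 * excerpt. Assumes float is 32 bits wide, which the assertion below checks.
 */
_Static_assert(sizeof(float) == sizeof(uint32_t), "float must be 32 bits");

/* Violates the strict aliasing rule: an lvalue of type uint32_t accesses an
 * object of type float. The compiler may assume the two never overlap and
 * reorder or drop the access, so the value read is not guaranteed. Kept only
 * to show the pattern; not used by the checks below. */
uint32_t bits_via_cast(float f)
{
    float *fp = &f;
    return *(uint32_t *)fp;     /* undefined behaviour */
}

/* Union punning, as on the slide: writing one member and reading another is
 * defined in C (since C99 TC3 the object representation is reinterpreted);
 * in C++ it is not, so this form is C-only. */
uint32_t bits_via_union(float f)
{
    union { float f; uint32_t u; } pun;
    pun.f = f;
    return pun.u;
}

/* memcpy form: defined in both C and C++, and compilers fold it into a
 * single register move, so it costs nothing over the cast. */
uint32_t bits_via_memcpy(float f)
{
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    return u;
}

/* Both defined forms agree on every input, which the cast cannot promise. */
int punning_forms_agree(float f)
{
    return bits_via_union(f) == bits_via_memcpy(f);
}
```

For code that must also compile as C++, prefer the memcpy form; the union form is the one the slide shows and is fine in C.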
  12. PCI/GSM Address Space Layout on Intel Haswell
     • PCI bus for GPU or DMA
     • CPU view
     • part of MMIO is reserved for the PCI bus
     • DRAM view
     • the MMIO memory range is not visible, so the PCI bus is not visible either
     • Intel's solution
     • in the CPU view, the addresses from TOLUD up to 4GB are assigned to MMIO, so the DRAM view can see the same address space.
     • Graphics Stolen Memory (GSM)
     • mostly inaccessible from the CPU view; the GTT part is accessible.
     • Components
     • Graphics Translation Tables (GTT): tell the GPU the virtual-to-physical mapping; can be set up at the BIOS stage
     • Data Range (programming space)
  13. The Impact of GPU-assisted Malware on Memory Forensics: a Case Study
     • A buffer object is created in the Graphics Execution Manager (GEM) subsystem (not inside GSM); it is visible to both the CPU and GPU domains, through different virtual addresses
     • OS page table
     • graphics page table
     • Attack technique
     • the GPU modifies the graphics page table in GSM; it originally mapped the buffer object, but after modification it can reach data in memory used by the CPU.
  14. I just wanted to understand why hash collisions are relevant to TLS: SLOTH (CVE-2015-7575), from Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH
  15. Client authentication passes, which means the MitM attacker can impersonate client C
  16. Tyupkin ATM malware in the ATM
  17. Do you know how Taiwanese people do it?
